authorhenning <henning@openbsd.org>2003-06-25 09:44:55 +0000
committerhenning <henning@openbsd.org>2003-06-25 09:44:55 +0000
commitdab2994132877af6d532835793b8f3a186721d64 (patch)
tree0a7e7ed715a098e0a93eda8ffc619a3dc19234ad
parentadd a pf_tagname field to ifbrlreq and a pf_tag field to ifbrlnode. (diff)
allow bridge filter rules to specify a tag.
if a packet matches such a rule it is tagged accordingly and pf can filter based on that tag. this allows, for example, bridge to be used as a classifier for pf, and thus gives all the power of pf based on mac address filters. please note that currently the bridge filters only apply to packets which are not destined for the local host. ok deraadt@ jason@ dhartmei@
-rw-r--r--sbin/brconfig/brconfig.88
-rw-r--r--sbin/brconfig/brconfig.c32
2 files changed, 32 insertions, 8 deletions
diff --git a/sbin/brconfig/brconfig.8 b/sbin/brconfig/brconfig.8
index 5ef2690939d..27e2aeeafd4 100644
--- a/sbin/brconfig/brconfig.8
+++ b/sbin/brconfig/brconfig.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: brconfig.8,v 1.44 2003/06/03 13:16:07 jmc Exp $
+.\" $OpenBSD: brconfig.8,v 1.45 2003/06/25 09:44:55 henning Exp $
.\"
.\" Copyright (c) 1999-2001 Jason L. Wright (jason@thought.net)
.\" All rights reserved.
@@ -43,6 +43,7 @@
.Ar interface-name
.Op Ar src address
.Op Ar dst address
+.Op Ar tag tagname
.Sh DESCRIPTION
The
.Nm brconfig
@@ -208,9 +209,12 @@ Rules have a similar syntax to
.Xr pf 4 .
Rules can be used to selectively block or pass frames based on Ethernet
MAC address.
+They can also tag packets for
+.Xr pf 4
+to filter on.
Rules are processed in the order in which they were added
to the interface, and the first rule matched takes the action (block or pass)
-of the rule.
+and, if given, the tag of the rule.
If no source or destination address is specified, the
rule will match all frames (good for creating a catchall policy).
.It Cm rulefile Ar filename
diff --git a/sbin/brconfig/brconfig.c b/sbin/brconfig/brconfig.c
index 51ebd3dcccb..ea9e96f4d46 100644
--- a/sbin/brconfig/brconfig.c
+++ b/sbin/brconfig/brconfig.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: brconfig.c,v 1.25 2003/06/02 18:44:35 jason Exp $ */
+/* $OpenBSD: brconfig.c,v 1.26 2003/06/25 09:44:55 henning Exp $ */
/*
* Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net)
@@ -1155,6 +1155,8 @@ bridge_showrule(struct ifbrlreq *r, char *delim)
printf(" src %s", ether_ntoa(&r->ifbr_src));
if (r->ifbr_flags & BRL_FLAG_DSTVALID)
printf(" dst %s", ether_ntoa(&r->ifbr_dst));
+ if (r->ifbr_tagname[0])
+ printf(" tag %s", r->ifbr_tagname);
printf("\n");
}
@@ -1177,6 +1179,7 @@ bridge_rule(int s, char *brdg, int targc, char **targv, int ln)
fprintf(stderr, "invalid rule\n");
return (EX_USAGE);
}
+ rule.ifbr_tagname[0] = 0;
rule.ifbr_flags = 0;
rule.ifbr_action = 0;
strlcpy(rule.ifbr_name, brdg, sizeof(rule.ifbr_name));
@@ -1223,6 +1226,21 @@ bridge_rule(int s, char *brdg, int targc, char **targv, int ln)
goto bad_rule;
rule.ifbr_flags |= BRL_FLAG_SRCVALID;
dea = &rule.ifbr_src;
+ } else if (strcmp(argv[0], "tag") == 0) {
+ if (argc < 2) {
+ fprintf(stderr, "missing tag name\n");
+ goto bad_rule;
+ }
+ if (rule.ifbr_tagname[0]) {
+ fprintf(stderr, "tag already defined\n");
+ goto bad_rule;
+ }
+ if (strlcpy(rule.ifbr_tagname, argv[1],
+ PF_TAG_NAME_SIZE) > PF_TAG_NAME_SIZE) {
+ fprintf(stderr, "tag name too long\n");
+ goto bad_rule;
+ }
+ dea = NULL;
} else
goto bad_rule;
@@ -1230,12 +1248,14 @@ bridge_rule(int s, char *brdg, int targc, char **targv, int ln)
if (argc == 0)
goto bad_rule;
- ea = ether_aton(argv[0]);
- if (ea == NULL) {
- warnx("Invalid address: %s", argv[0]);
- return (EX_USAGE);
+ if (dea != NULL) {
+ ea = ether_aton(argv[0]);
+ if (ea == NULL) {
+ warnx("Invalid address: %s", argv[0]);
+ return (EX_USAGE);
+ }
+ bcopy(ea, dea, sizeof(*dea));
}
- bcopy(ea, dea, sizeof(*dea));
argc--; argv++;
}
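Review bot: The truncation check in bridge_rule's new "tag" branch (hunk @@ -1223) is off by one: strlcpy returns strlen(src), so a tag name of exactly PF_TAG_NAME_SIZE characters is silently cut to PF_TAG_NAME_SIZE-1 bytes yet passes the `> PF_TAG_NAME_SIZE` test, and the rule is installed under a name that may differ from the one the user configured in pf. The usual idiom is to compare against the destination size with `>=`, and the ifbr_name copy in the previous hunk already sizes its bound with sizeof of the field: `if (strlcpy(rule.ifbr_tagname, argv[1], sizeof(rule.ifbr_tagname)) >= sizeof(rule.ifbr_tagname)) {`. Deriving the bound from the field also keeps the check correct should the struct's declared size ever diverge from PF_TAG_NAME_SIZE. The body of bridge_rule starts and ends outside these hunks.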